the safety of the intendedfunctionality · 2019. 1. 29. · presented by iso/tc22/sc32/wg8 the...

Presented by ISO/TC22/SC32/WG8

The Safety of the Intended Functionality

Report on ISO/TC22/SC32/WG8 activities

Geneva, 31/01/2019

Nicolas Becker, ISO21448 project leader

Transmitted by the expert from ISO Informal document GRVA-02-322nd GRVA, 28 January – 1 Februar 2019Agenda item 5(a)


CONTENT

• Safety aspects of automated driving• Motivation – What is the Safety of the Intended

Functionality (SOTIF)?• ISO/PAS 21448 status and activities• Connection with Automated Driving (AD) regulatory

activities• Summary

2


Safety aspects for an automated driving system

The automateddriving system is

safe

Its failures are adequatelyavoided or mitigated

Its behaviour is adequate for the intended operation domain

ISO26262 : Functional SafetyHazard Analysis and Risk AssessmentDesign, Verification and Validation (V&V) requirementsSafety management

ISO/PAS 21448 : Safety of the Intended FunctionalityScenario identification incl. Reasonably foreseeable misusesFunctional improvementsV&V strategy

Other safety requirements (incl

Cybersecurity, passive safety, etc)

scScope of ISO/TC22/SC32/WG8

PresenterPresentation NotesThe ISO/TC22/SC32/WG8 deals with functional safety, ISO/PAS21448 complements the ISO26262 by addressing non-fault conditions. Other safety requirements are important but addressed in other working groups.


SOTIF EXAMPLE

Automatic emergency braking feature :

4

triggering events

camera

unintended braking could be caused by limitations in perceptionsystem

• weather (rain/sun/fog)• misinterpretation of image• …

PresenterPresentation NotesThis is an example of a SOTIF-relevant functionality : a camera-based automatic emergency braking system, whose intention is to brake the vehicle in the case of an imminent crash. An unwanted braking can be a safety-relevant condition, as it can lead to a crash from a close tailing vehicle. This unwanted braking can be caused by an incorrect detection of the scene by the camera, called ‘triggering event’ in ISO PAS 21448.


KEY ASPECTS OF 21448 - SOTIF

• ISO/PAS 21448 publication 01/2019• Focuses on driver assistance features with SAE automation levels 1 and 2• Covers potentially hazardous behavior under non-fault conditions

• Caused by technological or system limitations• Includes evaluation of reasonably foreseeable misuse

• Provides guidance for design, verification and validation measures• Issued as publicly available specification (PAS) (and not as an ISO standard) to enable fast

publication• Includes high-level requirements on the objectives to achieve in the SOTIF analyses, and

informative guidance on how to achieve them

• The work on ISO 21448 started in 11/2018• Extension to higher levels of automation (up to Level 5)• Significant interest in this work

• 18 countries• 80 experts in Plenary featuring worldwide OEMs, Tier 1 and Tier 2 suppliers, and governmental institutes

• Publication targeted for 2022

5


CATEGORIZATION OF REAL-LIFE DRIVING SCENARIOS

Known Unknown

Safe Area 1Nominal behavior

Area 4System robustness

Potentially hazardous

Area 2Identified systemlimitations

Area 3“Black swans”

6

PresenterPresentation NotesISO/PAS 21448 is based on a possible classification of every real-life driving scenario under two aspects : has it been identified by the development organization (known/unknown), and has it the ability to lead to harm (safe/potentially hazardous). This lead to four potential categories, with dedicated SOTIF activities. The following slides provide examples for these categories.



Known Unknown






7



Known Unknown




Area 2 Area 3

8



Known Unknown






9



Known Unknown




Area 2 Area 3

10

PresenterPresentation NotesThis illustrates a scenario that might not have been identified during development. Depending on the vehicle reaction, this could lead to an unsafe outcome and therefore be an Area 3 scenario.


11

Flow

char

tof S

OTI

F Ac

tiviti

es (I

SO/P

AS 2

1448

, Fig

. 9)

PresenterPresentation NotesThe numbers in circle denote the ISO/PAS 21448 section related to this activity.


VERIFICATION AND VALIDATION ACTIVITIES

Known Unknown

Safe Area 1Normal validation

Area 4Not applicable


Area 2V&V of the adequatebehaviour of the system, incl. of the functional improvements

Area 3Qualitative and Quantitative evaluation of the residualscenarios

12


RESIDUAL SCENARIOS EVALUATION – QUANTITATIVE APPROACH FOR AREA 3• The ISO/PAS 21448 indicates that :

• A quantitative target is defined for the demonstration that the unknown/unsafe scenarios are sufficiently implausible, e.g. a maximum probability of incorrect behavior per hour.

• The PAS however does not specify normative quantitative target values• This quantitative target considers applicable regulations, standards and relevant traffic

statistics. • The validation strategy shall provide demonstration that this target is met

• This quantitative approach is NOT a criteria that would allow to ignore a plausible potentially hazardous scenario : those must be addressed anyhow

• It is ONLY a criteria to claim sufficient validation coverage at the time of the beginning of customer activation of the functionality

• For a SAE level 1 or 2 functionality in the scope of the PAS, this leads to a validation strategy that is in the order of what a captured fleet can achieve

• For a SAE level 3+ functionality in the scope of the future ISO21448, the target derived through this approach are much more stringent., The validation will therefore require techniques in addition to the road tests, for instance a higher contribution of simulations. This is a primary topic for the future ISO21448.

• The procedure for the demonstration on how these targets are met is still a topic of discussion.

13


HOW CAN ISO21448 SUPPORT AV REGULATION?

• ISO 21448 will provide a consensus from the ISO experts on the framework to design and demonstrate the Safety of the Intended Functionality

• A first draft will be available for voting and commenting in 2020• It will describe an integrated, scenario-based approach, for the demonstration of the safety of

the intended functionality, contributing to the safety evaluation of automated driving systems• The approach to ensure the safety of the intended functionality combines several activities :

• Design–level analyses of the system, its performances and its operating environment• Qualitative and quantitative evaluations• V&V techniques based on simulation, tests in specified scenarios, and captured fleet in real

driving to maximize coverage• Quantitative justification of sufficient validation, derived from comparable human-driven behaviour• It augments the ISO26262 guidance with non-fault conditions considerations.

14


OPEN DISCUSSION POINTS

• Requirements that should be confirmed in an AD regulation• Overall framework for SOTIF demonstration• Acceptance condition for the identified residual risks :Under which conditions of implausibility is a potentially

potentially hazardous behavior acceptable? => Societal issue• Acceptance condition for the end-of-validation milestone : is the proposed argument for sufficient validation

acceptable?

• Demonstration of compliance to future AD regulation• The intention of 21448 is to provide a demonstration framework to support the safety evaluation of an automated

driving functionality

• What future connections between ISO and UN/ECE on the SOTIF?• How to ensure a continued exchange of knowledge and information between the GRVA and the ISO committee?

15

The Safety of the Intended Functionality��Report on ISO/TC22/SC32/WG8 activities��Geneva, 31/01/2019��Nicolas Becker, ISO21448 project leaderSlide Number 2Safety aspects for an automated driving systemSlide Number 4Slide Number 5Slide Number 6Slide Number 7Slide Number 8Slide Number 9Slide Number 10Slide Number 11Slide Number 12Slide Number 13Slide Number 14Slide Number 15

the safety of the intendedfunctionality · 2019. 1. 29. · presented by iso/tc22/sc32/wg8 the...

Documents